07. Communicating and Reporting on IS Audits
07.01. Identifying IS Audit Findings
Briefly reflect on the following before we begin:
- What are the key elements that make an audit finding significant?
- What factors determine the severity level of an audit finding?
- How do Audit Findings’ Five Cs (condition, cause, criteria, consequences, and corrective action) contribute to effective audit reporting?
Audit findings are the results obtained from the audit process, revealing insights into the organization’s information systems, processes, and controls. They are pivotal in determining the health and integrity of an organization’s IS environment. As such, auditors must possess a keen eye for detail and a robust understanding of what constitutes a finding of significance. This section therefore walks through the process of uncovering, evaluating, and documenting these findings, to equip you with the knowledge and skills necessary to identify significant audit findings effectively and efficiently.
A key aspect of identifying audit findings is understanding their nature and role, involving comprehending the purpose of audit findings, which goes beyond merely pointing out flaws or non-compliance. They serve as a tool for organizational improvement, offering insights and directions for enhancing IS practices. Therefore, auditors must approach findings not as ends but as means to promote better IS governance and risk management. The Five Cs of IS audit findings (condition, cause, criteria, consequences, and corrective action) constitute a framework that aids auditors in crafting clear, concise, concrete, complete, and correct audit findings. It ensures the findings are well-documented, actionable, and understandable to stakeholders. Each of these ‘Cs’ plays a crucial role in shaping findings that drive value and improvement in the audited organization.
Classifying the severity of findings is another critical step in the audit process, as it helps prioritize issues and allocate resources effectively. It involves assessing the impact and likelihood of each finding and categorizing them as critical, high, medium, or low. This classification aids in efficiently managing risks and guides the formulation of recommendations. Documenting preliminary findings involves recording observations and insights gained during the audit in a structured and coherent manner. It is about capturing data and synthesizing information into meaningful insights. Proper documentation of preliminary findings lays the groundwork for developing the final audit report.
Lastly, we will reinforce throughout this section that identifying audit findings is an analytical and critical thinking exercise. It involves identifying what is wrong and understanding why and how it can be rectified. It requires a deep understanding of the organization’s information systems, a keen analytical mind, and a systematic approach to problem-solving. Auditors must consider the specific circumstances and nuances of each organization. A significant finding in one context might be less critical in another. Therefore, auditors must thoroughly understand the business, its environment, and its unique challenges. Also, professional judgment must be balanced in identifying audit findings. Auditors must discern which findings are genuinely significant and require attention. This judgment is honed through experience, knowledge, and an understanding of auditing standards and best practices.
The Nature and Role of Audit Findings
An audit finding is an outcome or result an auditor identifies during an audit. These findings should be based on evidence collected and analyzed against specific criteria, such as laws, regulations, or established internal controls and procedures. They are the building blocks of the audit report and play a critical role in the decision-making process within an organization. They provide an objective basis for assessing the effectiveness and efficiency of processes and controls within an organization’s IS environment. Findings help identify areas where the organization excels and, more importantly, areas that require improvement. They are instrumental in risk management and compliance, ensuring the organization adheres to relevant laws, regulations, and industry standards.
Audit findings can vary widely in nature and scope. They can range from simple procedural discrepancies to complex security vulnerabilities. Some common findings include non-compliance with policies, inefficiencies in processes, inadequate controls, and potential areas for cost savings. These findings shape the organization’s strategies and decisions regarding its IS landscape.
The primary role of audit findings is to provide insights into the functioning of an organization’s IS as they highlight issues that need attention, areas where controls might be lacking, and processes that are not as effective as they could be. This insight is invaluable for management to make informed decisions about resource allocation, process improvements, and policy adjustments. Another critical role of audit findings is facilitating accountability and transparency within the organization. They serve as a check and balance, ensuring the organization operates according to its objectives, standards, and regulatory requirements.
Audit findings are about identifying problems and proposing solutions and improvements as they allow the organization to strengthen its IS controls, optimize processes, and enhance overall performance. Effective auditors not only point out issues but also work with management to develop actionable recommendations for improvement. Findings also play a significant role in shaping the organization’s risk management strategies. Identifying areas of vulnerability and potential risks allows the organization to proactively address these issues before they escalate into significant problems. Clear, concise, and constructive communication is essential for auditors to present findings in a manner that is understandable and relevant to the stakeholders. This involves avoiding technical jargon, providing context, and highlighting the implications of the findings.
Lastly, an essential aspect of audit findings is their contribution to continuously improving an organization’s IS environment, as each finding provides an opportunity to learn and grow. Organizations that effectively leverage audit findings are better positioned to adapt to changes, improve efficiency, and comply with evolving standards and regulations.
The Importance of Accurate and Objective Audit Findings
As discussed throughout this textbook, an IS audit is an independent and systematic examination of an organization’s information systems, processes, and controls. Its primary purpose is to assure stakeholders that these systems operate effectively and securely and comply with relevant standards and regulations. Achieving this assurance relies on the IS auditor’s generation of audit findings that are both accurate and objective.
IS audit findings serve as both the outcome of our assurance practices and the means to represent identified risks, vulnerabilities, and potential impacts clearly and concisely. They also lead to value-added recommendations to management that facilitate the achievement of organizational objectives. Thus, at the core of IS auditing is our ability to capture audit findings accurately and objectively.
Accurate Findings
Accuracy in audit findings refers to the precision and correctness with which auditors identify and document issues, weaknesses, or vulnerabilities within the audited systems. It includes the meticulous gathering of evidence, the rigorous analysis of data, and the unbiased interpretation of results. It forms the basis for informed decision-making, risk assessment, and control improvement.
Accurate findings are achieved through a rigorous and systematic audit process involving careful planning, risk assessment, and applying audit techniques tailored to the specific systems under scrutiny. It requires attention to detail, a thorough understanding of the audit objectives, and a commitment to objectivity.
Objective Findings
Objectivity in audit findings implies that they are free from bias, prejudice, or undue influence. They are the product of a fair and impartial assessment of the audited systems and controls. Objectivity requires that the audit process remains independent and credible, instilling trust in the findings among stakeholders.
Maintaining objectivity can be challenging, especially when auditors encounter pressure, conflicts of interest, or organizational politics. Therefore, auditors must resist any such influences and adhere to the principles of objectivity. Objectivity requires auditors to base their findings solely on evidence and facts, irrespective of personal opinions or external pressures.
By identifying areas of weakness or non-compliance, accurate and objective IS audit findings provide clear guidance on where corrective actions are needed. They facilitate informed decision-making based on reliable information, reducing the risk of ill-advised investments or neglect of critical issues. They also identify vulnerabilities and weaknesses that, if left unaddressed, could lead to security breaches, data loss, or operational disruptions. Collectively, they instill confidence among internal, external, and regulatory stakeholders.
The Five Cs of Effective Audit Findings
Formulating IS Audit findings using the Five Cs framework (Condition, Cause, Criteria, Consequence, and Corrective Action) provides a structured approach to identifying and articulating audit findings. Let’s explore each of these Cs to understand better how they contribute to the effectiveness of IS audit findings.
Condition (What)
“Condition” refers to the specific issue or situation identified during the audit. It is the factual evidence observed by the auditor.
Detailing the condition involves describing what the auditor has found clearly and precisely. It’s about stating the facts as they are, without interpretation or judgment. This clarity is crucial for ensuring that the finding is grounded and verifiable.
Cause (Why)
“Cause” delves into the reason behind the condition and answers why the issue exists. Understanding the cause is essential for addressing the root of the problem rather than just its symptoms.
It requires a deep understanding of the organization’s processes and systems. It’s about connecting the dots between the condition and the underlying factors that led to it.
Criteria (What Should Be)
“Criteria” refers to the standard or benchmark against which the condition is evaluated. It could be company policies, industry standards, legal requirements, or best practices that set expectations for what should happen.
Criteria are essential for establishing the gap between the current state (condition) and the desired state.
Consequence (So What)
“Consequence” is about the impact or ramifications of the condition. It answers the question of what the implications are if the issue is not addressed. Consequences can be wide-ranging, including financial losses, reputational damage, regulatory penalties, or operational disruptions. They help stakeholders understand the urgency and importance of addressing the findings, and they help drive action and garner support for change.
Corrective Action (Now What)
“Corrective Action” involves proposing steps to rectify the condition. Corrective actions should be realistic, practical, and tailored to the organization’s context. Effective corrective actions consider the organization’s circumstances, resources, and capabilities. They also specify a timeline and a responsible party so that the action is implemented effectively.
Using the Five Cs Model
Integrating the Five Cs into audit findings is a skill that auditors develop with experience and involves identifying and documenting each ‘C’ and understanding how they interconnect. Each ‘C’ builds upon the previous one to create a comprehensive picture of the audit finding. A well-articulated finding using the Five Cs approach provides a clear, complete, and compelling case for why an issue is essential and what needs to be done. It makes the finding actionable and understandable, enhancing the likelihood of it being addressed effectively.
Let’s walk through an example of a finding identified during an IS audit and attempt to draft the audit finding using the 5 Cs model:
Scenario:
GlobalTech Solutions recently expanded its business operations, necessitating enhancements to its existing accounting system. The company employed a team of programmers for system upgrades and modifications. During an IS audit of the accounting system, an alarming issue was discovered related to the segregation of duties (SoD). A programmer on the system upgrade team had unrestricted access to the production environment of the accounting system. This access allowed the programmer to make unauthorized changes directly to the production environment without the necessary oversight or approval from the finance department.
Under pressure to meet tight deadlines, the programmer bypassed standard testing and approval procedures to expedite the deployment of changes. Some of these changes inadvertently introduced errors in financial reporting, impacting the integrity of financial data. This breach in the segregation of duties protocol exposed the accounting system to risks of unauthorized alterations, potential fraud, and data integrity issues.
Audit Finding Documentation:
Based on the facts provided in the scenario above, the audit finding can be documented as follows:
Condition (What)
The IS audit discovered that a programmer had unauthorized access to make changes in the accounting system’s production environment.
Cause (Why)
This situation occurred due to a lack of proper segregation of duties and inadequate configuration of access controls during the system upgrade process. The programmer was granted higher access privileges than necessary, leading to this breach.
Criteria (What Should Be)
According to best practices in IS governance and internal control frameworks, such as COBIT, strict segregation of duties should be maintained, especially in sensitive systems like accounting. Access to production environments should be tightly controlled and monitored.
Consequence (So What)
The unauthorized access and subsequent changes made by the programmer led to errors in financial reporting, undermining the integrity of financial data. This breach could lead to financial inaccuracies, damage to the company’s reputation, and non-compliance with regulatory standards.
Corrective Action (Now What)
Immediate revocation of the programmer’s access to the production environment is recommended. A thorough review and restructuring of access control policies should be conducted to ensure proper segregation of duties. Regular audits should be instituted to monitor compliance with these policies. Additionally, awareness programs for IT and finance teams on the importance of SoD and access controls in sensitive systems are advised.
Classification of Findings (Severity Levels)
Classification of IS audit findings is pivotal in guiding organizations to prioritize and address issues effectively. Let’s explore the concept of severity levels in audit findings, the criteria used for classification, and its importance in the audit process. Severity levels in audit findings essentially categorize issues based on their impact and urgency. Generally, severity levels are classified into the following four categories:
Classification Severity Levels
Critical Findings
These findings indicate a severe problem that poses an immediate and significant risk to the organization. They often involve violations of law or regulations, major security breaches, or significant financial losses. Immediate action is required to address these findings.
High-Risk Findings
High-severity findings are serious but, unlike critical findings, may have a more limited impact. They still represent a significant risk and require prompt attention. This category often includes issues like significant non-compliance with internal policies or the potential for considerable reputational damage.
Medium-Risk Findings
Medium-severity findings are concerns that have a moderate impact and risk level. These issues are important but do not require immediate action. They often involve procedural lapses or inefficiencies that could be improved.
Low-Risk Findings
Low-severity findings are minor issues with minimal risk or impact. These findings are often more about optimization and minor improvements rather than urgent fixes.
The classification of audit findings into severity levels should be determined using a structured manner, including the following criteria:
- Impact: The potential damage or consequence of the finding on the organization. This includes financial loss, reputational damage, or operational disruption.
- Likelihood: The probability of the risk associated with the finding materializing. A high probability of occurrence often results in a higher severity level.
- Compliance: The degree to which the finding reflects non-compliance with laws, regulations, or internal policies. Severe non-compliance issues are often rated higher.
- Scope: The extent or breadth of the finding within the organization. Issues affecting multiple departments or systems may be rated more severe.
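The following is an added illustration for this chapter, not code from the textbook or from any audit standard. It records a finding by the Five Cs and applies the four classification criteria just listed (impact, likelihood, compliance, scope) the same way to every finding. The 1-4 rating scale, the percentage weights, and the cut-off thresholds are assumptions chosen for the example; an audit function would calibrate its own, which is exactly the standardization the chapter recommends to reduce subjectivity.

```python
"""Added illustration: a Five Cs finding record and a severity rubric.
Not code from the textbook or any audit standard. The rating scale,
weights and thresholds are assumptions chosen to show how impact,
likelihood, compliance and scope can be combined consistently."""
from dataclasses import dataclass, field

RATING_SCALE = (1, 2, 3, 4)  # each criterion is rated 1 (lowest) to 4 (highest)

# Assumed integer weights (percent). Impact and likelihood carry most of the
# score; compliance and scope adjust it. They sum to 100, so the weighted
# score stays on the same 1-4 scale as the inputs.
WEIGHTS = {"impact": 35, "likelihood": 30, "compliance": 20, "scope": 15}

# Assumed cut-offs mapping the weighted score to the chapter's four levels,
# checked from the top down.
THRESHOLDS = (("Critical", 3.5), ("High", 2.75), ("Medium", 1.75), ("Low", 0.0))


def severity_score(ratings: dict) -> float:
    """Weighted average of the four criterion ratings, on a 1-4 scale."""
    for name in WEIGHTS:
        if ratings.get(name) not in RATING_SCALE:
            raise ValueError(f"{name} must be rated 1-4, got {ratings.get(name)!r}")
    return round(sum(WEIGHTS[n] * ratings[n] for n in WEIGHTS) / 100, 2)


def classify(ratings: dict) -> str:
    """Map a rating set to Critical / High / Medium / Low."""
    score = severity_score(ratings)
    for level, cutoff in THRESHOLDS:
        if score >= cutoff:
            return level
    return "Low"  # unreachable because the last cut-off is 0.0; kept for clarity


@dataclass
class Finding:
    """One audit finding structured by the Five Cs."""
    title: str
    condition: str          # What: the facts the auditor observed
    cause: str              # Why: the root cause, not the symptom
    criteria: str           # What should be: policy, standard or law
    consequence: str        # So what: impact if left unaddressed
    corrective_action: str  # Now what: recommended remediation
    ratings: dict = field(default_factory=dict)

    def severity(self) -> str:
        return classify(self.ratings)

    def render(self) -> str:
        """Plain-text write-up in the order a reader expects."""
        lines = [f"Finding: {self.title} [{self.severity()}]"]
        for label, text in (("Condition (What)", self.condition),
                            ("Cause (Why)", self.cause),
                            ("Criteria (What Should Be)", self.criteria),
                            ("Consequence (So What)", self.consequence),
                            ("Corrective Action (Now What)", self.corrective_action)):
            lines.append(f"{label}: {text}")
        return "\n".join(lines)


def sod_finding() -> Finding:
    """The GlobalTech segregation-of-duties scenario from the chapter. The
    ratings are an assumed auditor's judgement, not values from the textbook."""
    return Finding(
        title="Programmer holds change access to the accounting production environment",
        condition="A programmer on the upgrade team could deploy changes directly "
                  "to the accounting production environment without finance approval.",
        cause="Segregation of duties was not enforced and access was "
              "over-provisioned during the system upgrade.",
        criteria="COBIT-aligned internal control: developers must not hold "
                 "production change access; production access is controlled and monitored.",
        consequence="Untested changes introduced financial reporting errors; "
                    "exposure to fraud and regulatory non-compliance.",
        corrective_action="Revoke the access, restructure access control policy "
                          "to enforce SoD, and institute periodic access reviews.",
        ratings={"impact": 4, "likelihood": 4, "compliance": 4, "scope": 3},
    )


if __name__ == "__main__":
    print(sod_finding().render())
```

Because the weights sum to 100 and every input is on the same scale, the score stays comparable across findings; the documented rationale the chapter asks for then reduces to the four ratings plus the rubric version used, which a reviewer can re-run.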
Classifying findings by severity ensures that resources are allocated appropriately to address the most critical issues for operational continuity and regulatory compliance. Moreover, severity classification helps communicate the urgency and importance of audit findings to stakeholders by providing a clear and structured way to present audit results, facilitating better decision-making and planning.
Classifying findings by severity has its challenges. One significant challenge is subjectivity. IS auditors may assess the severity of findings differently based on their experience and perspective. To mitigate this, progressive IS audit functions must develop standardized criteria and scales for severity classification. Another challenge is the dynamic nature of risks. The severity of a finding can change over time as the organization’s environment and external factors evolve. Continuous monitoring and reassessment are therefore necessary.
To address these challenges and ensure findings are classified effectively, IS auditors must strive to apply the same criteria and standards across all findings to ensure consistency in classification. They must also clearly document the rationale behind the severity classification for each finding. Involving relevant stakeholders in the classification process, so that the impact and context are fully understood, is another solid mitigating practice. Lastly, IS auditors must be open to re-evaluating the severity of findings as new information emerges or as the organizational context changes. By mastering this aspect of auditing, future IS auditors can significantly contribute to their organizations’ risk management and improvement efforts.
Documenting Preliminary Audit Findings
To tie in all relevant concepts discussed so far, this section delves into the importance, methodology, and best practices in documenting preliminary audit findings, providing a comprehensive guide for students and future auditors.
As discussed earlier, audit findings are the observations and insights auditors gather during the audit process. Documenting these findings is crucial since they provide the evidence base for the final audit report. They are the raw data that support the auditor’s conclusions and recommendations. Robust documentation also records what was observed, analyzed, and concluded at a particular time. This is valuable for future audits and understanding the historical context of issues. Well-documented findings also facilitate communication among audit team members and with stakeholders. A well-documented audit trail enhances the transparency of the auditing process and holds the auditors accountable for their observations and conclusions.
While each IS audit function may have preferences and guidance published in terms of “how” to document audit findings sufficiently and appropriately, some of the common elements that should be part of such guidance are presented below:
- Gathering Evidence: IS Auditors should collect data, screenshots, system logs, interviews, and other relevant information that substantiate the findings.
- Organizing Information: Gathered information should be arranged coherently and logically. This could involve categorizing findings by systems, processes, or risk areas.
- Descriptive Writing: IS Auditors should describe the findings clearly and concisely, avoiding technical jargon. The goal is to make the documentation understandable to a broad audience.
- Initial Analysis: An initial analysis of the findings must be provided, including identifying potential causes, impacts, and risks associated with the findings.
- Referencing Criteria: IS Auditors must link each finding to the relevant audit criteria, such as policies, procedures, laws, or standards. This contextualizes the findings within the scope of the audit.
Typically, documenting findings as soon as possible after they are observed ensures the accuracy and completeness of the information. IS Auditors should maintain an unbiased tone in their documentation to avoid making assumptions or drawing premature conclusions. They should use clear and precise language, leaving no room for ambiguity. IS Auditors are expected to handle sensitive information carefully, respecting confidentiality and data protection regulations. Lastly, IS auditors should use a standardized format for documentation. This might include templates or predefined structures that ensure consistency across the audit.
In the Spotlight
For additional context on the importance of application controls, please read the article “Audit Findings: Everything You Need to Know”.
Maya, G. (2022, October). Audit findings: everything you need to know. IT Gov Docs. https://www.itgov-docs.com/blogs/it-governance/audit-findings-everything-you-need-to-know
Key Takeaways
Let’s recap the key concepts discussed in this section by watching this video.
Source: Mehta, A.M. (2023, December 6). AIS OER ch 07 topic 01 key takeaways [Video]. https://youtu.be/W3DissDgGSU
Knowledge Check
Review Questions
- Explain how the “Condition” aspect of the Five Cs of Audit Findings contributes to the effectiveness of an audit report.
- Describe the importance of classifying audit findings into different severity levels.
- How does maintaining an unbiased tone in documenting preliminary findings enhance the audit process?
Mini Case Study
GlobalTech Solutions is a mid-sized software development company specializing in developing cloud-based solutions for healthcare providers. The company has a significant online presence and relies heavily on its information systems for software development, customer support, data storage, and internal communications. Due to recent regulatory changes in healthcare data management and privacy, GlobalTech Solutions initiated an internal audit of its information systems. The audit aimed to assess compliance with the new regulations, evaluate the effectiveness of current data security measures and identify areas of improvement in handling sensitive healthcare data.
The auditors found that the company’s password management policies were not consistently enforced. The audit revealed widespread non-compliance with the company’s password policy. Many employees were found using easily guessable passwords that had stayed the same for over a year. Interviews with staff indicated a lack of regular monitoring and enforcement of the password policy. The company’s internal password management policy, which aligns with industry standards, mandates strong passwords (at least 12 characters, including numbers, symbols, and both upper- and lower-case letters) and requires them to be changed every 90 days.
Additionally, the auditors discovered that a substantial portion of healthcare data stored in the cloud was not encrypted, contrary to industry best practices and regulatory requirements. The lack of encryption is an oversight in the data storage process, possibly due to outdated protocols and the absence of a regular compliance review mechanism. According to healthcare data management regulations and company policy, all sensitive patient data stored in the cloud must be encrypted using industry-standard encryption methods.
Required: Using the above details, prepare a findings and recommendations report using the 5 Cs model.
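As an added illustration of how the evidence for the case study’s password-policy finding can be gathered and turned into a factual Condition statement (this is not code from the textbook, and it does not answer the case study), the script below compares the settings actually configured on a system against the policy criteria and lists accounts whose password age exceeds the 90-day limit. The policy values come from the case study; the exported configuration, the account records, the field names, and the audit date are constructed samples that stand in for a real directory export.

```python
"""Added illustration for the mini case study: an audit test of the password
policy criterion. Not code from the textbook. POLICY is the case study's
stated policy; CONFIGURED, ACCOUNTS and AS_OF are constructed samples."""
from datetime import date

# Criteria: the password policy stated in the case study.
POLICY = {"min_length": 12, "require_upper": True, "require_lower": True,
          "require_digit": True, "require_symbol": True, "max_age_days": 90}

# Constructed sample: the password settings actually configured on the system
# (0 for max_age_days means passwords never expire).
CONFIGURED = {"min_length": 8, "require_upper": True, "require_lower": True,
              "require_digit": False, "require_symbol": False, "max_age_days": 0}

# Constructed sample: (username, date the password was last set).
ACCOUNTS = [
    ("j.alvarez", date(2022, 11, 15)),
    ("p.chen", date(2023, 10, 1)),
    ("s.okafor", date(2023, 12, 5)),
    ("m.reyes", date(2024, 1, 20)),
]

AS_OF = date(2024, 3, 1)  # constructed audit fieldwork date


def config_gaps(configured: dict, policy: dict) -> list[str]:
    """Settings where the system is weaker than the policy requires."""
    gaps = []
    for key, required in policy.items():
        actual = configured.get(key)
        if key == "min_length" and actual < required:
            gaps.append(f"min_length is {actual}, policy requires {required}")
        elif key == "max_age_days" and (actual == 0 or actual > required):
            gaps.append(f"max_age_days is {actual}, policy requires {required}")
        elif isinstance(required, bool) and required and not actual:
            gaps.append(f"{key} is not enforced")
    return gaps


def stale_accounts(accounts, as_of: date, max_age_days: int) -> list[tuple[str, int]]:
    """Accounts whose password is older than the policy allows, with the age in days."""
    stale = []
    for user, last_set in accounts:
        age = (as_of - last_set).days
        if age > max_age_days:
            stale.append((user, age))
    return sorted(stale, key=lambda item: item[1], reverse=True)


def condition_statement(accounts, configured, policy, as_of: date) -> str:
    """Factual 'Condition' text for the finding, built from the evidence only."""
    gaps = config_gaps(configured, policy)
    stale = stale_accounts(accounts, as_of, policy["max_age_days"])
    parts = []
    if gaps:
        parts.append("The system does not enforce the policy: " + "; ".join(gaps) + ".")
    if stale:
        parts.append(f"{len(stale)} of {len(accounts)} sampled accounts have passwords "
                     f"older than {policy['max_age_days']} days as of {as_of.isoformat()} "
                     f"(oldest: {stale[0][0]}, {stale[0][1]} days).")
    return " ".join(parts) if parts else "No exceptions noted."


if __name__ == "__main__":
    print(condition_statement(ACCOUNTS, CONFIGURED, POLICY, AS_OF))
```

Note that the test never needs the passwords themselves: enforcement of length and complexity is evidenced by the configured settings, and rotation by the password-age field, which keeps the evidence file free of sensitive data and the Condition limited to what was observed.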
Glossary
- Communicating and Reporting on IS Audits: The process of formally communicating the outcomes of an IS audit, including findings, conclusions, and recommendations, to stakeholders.
- Audit Findings: Results obtained from the audit process, providing insights into the organization’s IS processes and controls, pivotal in assessing the health and integrity of an organization’s IS environment.
- Condition: The specific issue or situation identified during the audit. It is the factual evidence observed by the auditor. Detailing the condition involves describing what the auditor has found clearly and precisely.
- Cause: The reason behind the condition; it answers why the issue exists. Understanding the cause is essential for addressing the root of the problem rather than just its symptoms.
- Criteria: The standard or benchmark against which the condition is evaluated. It could be company policies, industry standards, legal requirements, or best practices that set expectations for what should happen.
- Consequence: The impact or ramifications of the condition. It answers the question of what the implications are if the issue is not addressed.
- Corrective Action: Involves proposing steps to rectify the condition. Corrective actions should be realistic, practical, and tailored to the organization’s context.
- Critical Findings: These findings indicate a severe problem that poses an immediate and significant risk to the organization. They often involve violations of law or regulations, major security breaches, or significant financial losses.
- High-Risk Findings: High-severity findings are serious but, unlike critical findings, may have a more limited impact. They still represent a significant risk and require prompt attention.
- Medium-Risk Findings: Medium-severity findings are concerns that have a moderate impact and risk level. These issues are important but do not require immediate action.
- Low-Risk Findings: Low-severity findings are minor issues with minimal risk or impact. These findings are often more about optimization and minor improvements rather than urgent fixes.
- Classification of Findings (Severity Levels): The process of categorizing audit findings as critical, high, medium, or low based on impact and likelihood, guiding the formulation of recommendations and risk management.